ISO 9001-Clause 4.

ISO 9001-Clause 4.2 Documentation requirements

4.2.1 General

ISO 9001 requirement:

The quality management system documentation shall include

a) documented statements of a quality policy and quality objectives,

b) a quality manual,

c) documented procedures and records required by this International Standard, and

d) documents, including records, determined by the organization to be necessary to

ensure the effective planning, operation and control of its processes.

NOTE 1 Where the term documented procedure appears within this International
Standard, this means that the procedure is established, documented, implemented
and maintained. A single document may address the requirements for one or more
procedures. A requirement for a documented procedure may be covered by more
than one document.

NOTE 2 The extent of the quality management system documentation can differ
from one organization to another due to

a) the size of organization and type of activities,

b) the complexity of processes and their interactions, and
c) the competence of personnel.

NOTE 3 The documentation can be in any form or type of medium.

Explanation:

Clause 4.2.1 specifies all the different types of documentation needed for your QMS.
The need to have additional documentation beyond those specified in this standard
may depend upon customer; regulatory and your own organizational requirements.
Other factors to consider may include complexity of products and processes, effect
on quality,risk of customer dissatisfaction, economic risk, effectiveness and
efficiency, competence of personnel. Clause 4.2.1d requires you to have documents
needed to ensure the effective planning, operation and control for QMS processes.
Each organization must determine what documentation is needed to achieve this
based upon complexity of products and processes, effect on quality,risk of customer
dissatisfaction, economic risk, effectiveness and efficiency, competence of
personnel.You must have documented statements of your quality policy and
objectives. A procedure is a specific way to perform an activity or process, and it may
or may not be written. If it is established, documented, implemented and maintained,
it is called a documented procedure. A document is information that is written or
recorded on some medium such as paper or computer. A document may specify
requirements for e.g. a drawing or technical specification, may provide direction for
e.g. quality plan, or show results or evidence of activities performed for e.g. records.

4.2.2 Quality manual

ISO 9001 requirement:

The organization shall establish and maintain a quality manual that includes

a) the scope of the quality management system, including details of and justification
for any exclusions (see 1.2),

b) the documented procedures established for the quality management system, or

reference to them, and

c) a description of the interaction between the processes of the quality management

system.

Explanation:

The quality manual is a special type of document that describes your QMS. Besides
describing your QMS, your quality manual could provide information on
organizational background and capabilities. It may be used by customers, regulatory
bodies, suppliers and company personnel for a variety of purposes. There are many
acceptable ways to document your quality manual. You must define the scope of
your QMS in your quality manual. Your QMS scope should include facilities
(manufacturing and support locations), products, processes, Quality Management
and other standards, etc. Customers will want to know the extent of your capabilities
and the Registrar will want to determine the time and effort needed to audit your
organization.Provide details of any clause exclusions from your scope, and
justification for it. You must justify all exclusions and remember, exclusions can only
be made from clause 7.Your quality manual must include a description of the
interaction of your QMS processes.You have flexibility in whether or not to include
your procedures and lower level documentation with your quality manual or organize
them in some other fashion. You may include all or some of your procedures in your
Quality Manual or reference them to your Quality Manual. Keep a listing or index at
the front or back of your Manual showing the complete list of your procedures
whether included or referenced.As a controlled document, the quality manual is
subject to all of the controls in clause 4.2.3.

4.2.3 Control of documents

ISO 9001 requirement:

Documents required by the quality management system shall be controlled. Records

are a special type of document and shall be controlled according to the requirements
given in 4.2.4.
A documented procedure shall be established to define the controls needed

a) to approve documents for adequacy prior to issue,

b) to review and update as necessary and re-approve documents,

c) to ensure that changes and the current revision status of documents are
identified,

d) to ensure that relevant versions of applicable documents are available at points of

use,

e) to ensure that documents remain legible and readily identifiable,

f) to ensure that documents of external origin determined by the org to be necessary

for the planning and operation of the quality management system are identified and
their distribution controlled, and

g) to prevent the unintended use of obsolete documents, and to apply suitable

identification to them if they are retained for any purpose.

Explanation:

A document is information that is written or recorded on some medium such as paper

or computer. Clause 4.2.1 tells you what documents you must include in your QMS.
All documents that you determine under clause 4.2.1 to be needed for your QMS
processes must be controlled. This clause 4.2.3 provides requirements on how these
documents must be controlled. Documents outside the QMS need not be subject to
these controls. This clause requires you to have a documented procedure. Ensure
that your procedure specifically addresses each of the control requirements, in terms
of who, what when, where and how as applicable. Your procedure must address new
and old as well as internal and external documents used by the QMS. You must
approve all new QMS documentation prior to issue. Some degree of checking,
examination or assessment is inherent in approval for adequacy. You must
periodically determine if any updating or revisions of any QMS documentation is
needed, and if they are changed, they must be re-approved for adequacy.

The frequency of this review, responsibility and method must be defined in your
procedure. This will be determined by events within your organization and how
mature or recent your QMS is. Auditors will explore this if they find that your
documents have not changed in years, while the nature of your business has
changed significantly. Identify changes made to documents so users know exactly
what has changed. There are many ways of doing this on printed as well as
computerized documents. Have a method for revision control such as a revision log
and master-list of documents which identifies the current revision status. Again, there
are other ways of doing this as well.

Not all documents need to be available everywhere within your organization. You
must determine what document is applicable (i.e. needed to assure product or
process quality) to a specific process or activity and make the relevant version of that
document available to that activity, e.g. providing current packaging and shipping
work instructions to the shipping department.Once you determine that certain
documents need to be made available at various locations, implement some form of
distribution control. There are many ways to do this. One way would be to keep a
distribution log.

Documents can take a beating in very harsh environments (covered in oil, dust, acid
eaten, weather-beaten, etc.) to the point of being illegible. You must regularly review
the condition of frequently used hard copy documents to determine whether they
need to be replaced. Documents must also be readily identifiable as to its purpose
and scope. A simple heading may suffice, (e.g. In-process Inspection Sheet).
Computerized documents are sometimes given file names that dont identify its
contents and this might require numerous files to be opened before you find the right
one. Identification also implies effective filing for timely retrieval, whether manual or
computerized. A frequent nonconformity is not being able to retrieve a document or
record because of poor filing procedures. External documents (such as customer
drawings or supplier material/part specifications) must be identified. There are many
ways to do this. One way would be to keep a manual or computer list of these
documents. Determine who needs these documents and have some form of
distribution control. Dont overlook supplier, regulatory or industry documents. Apply
applicable controls to these as well.

Obsolete documents can cause many problems if not controlled. There are many
ways to do this. One way would be to provide computerized documents in read-only
mode and make only the current version accessible at workstation computer
screens. Obsolete hard copy documents can be removed through distribution
control. Ensure your procedure a covers methods to disallow unauthorized and
unapproved or incorrect documents from being created, used or distributed.If
documents are archived, make sure that all such documents are properly identified,
indexed and filed, and preferably have controlled or restricted access to
them. Nonconformities against the document control process are one of the most
frequent audit findings. Develop appropriate performance indicators to demonstrate
effective implementation of your document control process. Examples include
number of obsolete or unauthorized documents found being used; number of
unauthorized changes found; number of instances documents were not available at
points of use; etc. Track trends in these indicators and use this information to tighten
your controls and continually improve your document control process. Use the
PDCA to plan, implement, measure and improve your document control process.

4.2.4 Control of records

ISO 9001 requirement:

Records established to provide evidence of conformity to requirements and of the

effective operation of the quality management system shall be controlled.

The organization shall establish a documented procedure to define the controls

needed for the identification, storage, protection, retrieval, retention and disposition
of records.

Records shall remain legible, readily identifiable and retrievable.

Explanation:
A record is a special type of document that provides written evidence of results
achieved or activity performed (e.g. an inspection record). Records provide one of
the strongest forms of evidence of maintaining and demonstrating the effectiveness
of your QMS. Ensure that your documented procedure for control of QMS records
addresses each of the control requirements specified in this clause, in terms of who,
what when, where and how. These controls apply to all QMS records whether they
are hard copy or computerized.ISO 9001 calls for many records. Some records are
specified, while others are implied. The onus is on you to demonstrate or provide
evidence (records) of conformity to requirements, whether the specific clauses ask
for records or not. Requirements for records may originate from the customer,
regulatory, industry, or within your organization. Ensure you maintain records to
conform to all of these as applicable. Records may also come from suppliers and
vendors. All these records are subject to the above controls. The comments under
document control regarding legibility, being identifiable and retrievable apply equally
to QMS records.

Readily identifiable relates to easily determining the purpose and scope of the
record, e.g. an inspection record for a product at final inspection. The design of QMS
records must prevent confusion or ambiguity in the completion and use of records.
Records must be written legibly to be useful. Also make sure that they are not
exposed to unauthorized change or alteration. For the duration that they are kept,
store records in locations and mediums that will protect against unauthorized access
and environmental damage (covered in oil, dust, acid eaten, weather-beaten, etc.).
Regularly review the condition of records. The indexing and filing of records
(hardcopy or computer) must ensure easy retrieval. Keep a listing of all the different
categories of records and define the retention times associated with each category
(inspection and test; sales and purchasing; management review; calibration; training;
etc). Retention times are typically determined by customer, regulatory, industry or
organizational requirements and policies.

Records must eventually be disposed off once past their defined retention times.
Disposition could range from permanent destruction of records to permanent storage
in a secure onsite or off-site archive. The intent here is to remove the risk of
inadvertent use and availability for current activities and unauthorized access.
Depending upon the industry, specific records may be kept indefinitely.

Nonconformities against the process for control of records arise frequently. Develop
appropriate performance indicators to demonstrate effective implementation of your
record control process. Examples of indicators could include number of instances
of inability to retrieve records; amount of time spent looking for records; number of
instances of incomplete records; number of instances of damaged records found;
etc. Track trends in these indicators and use this information to tighten your controls
and continually improve your record control process. Use the PDCA to plan,
implement, measure and improve your process for record control.

Audit Checklist

An audit checklist should cover these areas:

 Does the documented Quality Management System (QMS) include a Quality
Policy, Quality Objectives, Quality Manual, Procedures, Work Instructions and
Records?

How does the Quality Manual address the ISO requirements? Does it show
the the exclusions which are not applicable? Does it have the all the procedures
or reference of Procedures?

Does it covers the mandatory 6 Procedures and 19 Records, as required by

ISO 9001 std?

How are QMS controlled documents identified? (Master List?)

Are personnel using up-to-date instructional QMS documents?

How are these QMS documents kept current? What triggers a review?

How was the last new QMS document issued? How was the last change or
revision handled? Who approved these changes?

How are new/ changed QMS documents communicated? Was any training
done?

Is there a list of QMS records that are controlled? Verify through sampling that
they exist, are legible, are retained, and kept in a secure/safe location. Look at
both electronic and paper records.

Mandatory Procedure:
Clause 4.2.1: Not applicable
Clause 4.2.2: Quality Manual
Clause 4.2.3: Procedure for control of Document